DHS outlines EIDBI crackdown after vendor audit and warns CMS seeks $2 billion Medicaid withhold

Temporary Commissioner Shereen Gandhi told the House Fraud Prevention and State Agency Oversight Committee that the Department of Human Services has a “zero tolerance for fraud” in Medicaid EIDBI services and is moving to strengthen provider accountability.

Gandhi said DHS has implemented immediate program‑integrity steps and is working with the Centers for Medicare and Medicaid Services (CMS) after CMS rejected the department’s initial corrective action plan. "CMS rejected that plan and stated its intent to withhold $2,000,000,000 in Medicaid funding," Gandhi said, and DHS submitted a revised plan on Jan. 30 and is appealing the decision.

DHS Inspector General James Clark described a recent surge in oversight: the Office of Inspector General conducted 338 compliance site visits between October 2024 and July 2025, which Clark said led to 54 voluntary provider closures and 18 terminations. He said DHS has 102 open EIDBI investigations and roughly 38 payment suspensions related to EIDBI entities.

John Connolly, deputy commissioner and state Medicaid director, said DHS contracted a vendor to produce a vulnerability analysis of 46 months of claims to design an enhanced prepayment review. Connolly warned the committee that some vendor analytics produced many flags: "two of the different analytics or tests that the vendor applied to the claims are what's producing the vast majority of these flags," and DHS is working with the vendor to refine those analytics.

Committee members pressed DHS on the vendor finding that roughly 90% of claims were flagged as problematic. Gandhi and Connolly cautioned that a flagged claim does not automatically indicate fraud or incorrect service and said DHS will use iterative analytics and further review to distinguish false positives from illegitimate billing.

DHS stressed changes rolling out this year. Clark said DHS designated EIDBI as a high‑risk service in 2025, implemented provisional licensure with a statutory application deadline of May 31, and plans large‑scale provider revalidation, including unannounced site visits for revalidated providers. Connolly described other safeguards including enhanced prepayment claims review, criminal background revalidation, and a freeze on new providers while revalidation proceeds.

Gandhi and Clark also warned that public disclosure of detailed vulnerability markers risks providing a roadmap to bad actors; they signaled they are willing to brief legislators in private on markers while keeping specific investigative techniques confidential. "If someone’s figured it out, we want to stop them. We don't want to give the road map to anybody else," Gandhi said.

What’s next: DHS said it will continue iterative refinement of analytics, complete revalidation and provisional licensure steps by the statutory deadlines, and pursue criminal and civil referrals where warranted. The department also promised to provide additional data and private briefings to legislators who request them.